[caops-wg] Comment for Auditing Guidelines Doc.

Yoshio Tanaka yoshio.tanaka at aist.go.jp
Tue Sep 16 22:14:49 CDT 2008


Hi Scott,

Thanks for the prompt reply. I understand.
Do you think the draft should be revised to avoid misunderstanding?
Or, do you think the current draft should be ok?

Regards,

--
Yoshio Tanaka (yoshio.tanaka at aist.go.jp)
http://ninf.apgrid.org/
http://www.apgridpma.org/


From: Scott Rea <Scott.Rea at Dartmouth.EDU>
Subject: Re: [caops-wg] Comment for Auditing Guidelines Doc.
Date: Tue, 16 Sep 2008 21:43:26 -0400
Message-ID: <48D060BE.50809 at Dartmouth.edu>

> G'day Yoshio et al,
> 
> The dot point list was not meant as a list of "requirements" - it was 
> merely a list of "considerations" when determining qualification 
> requirements.
> The real requirements are in the text of the initial paragraph above 
> i.e. essentially the auditor should be competent, independent, 
> understand PKIs, understand auditing methods, and understand IGTF profiles.
> 
> I.e. no getting the custodial staff, or medical staff, or HR staff etc 
> to audit for you - that ain't gonna fly - unless they also have relevant 
> qualifications from the subsequent list.  Hope that clarifies things...
> 
> Regards,
> -Scott
> 
> Yoshio Tanaka wrote:
> > Hi Scott,
> >
> > As you might see in the meeting minutes which was sent by Dave, we got
> > a comment about Auditor Qualification.
> >
> > ----------------------------------------------------------------------
> > Auditor Qualification
> > The audit/assessment/evaluation team and the individuals on that team
> > should be qualified to assess the policies and practices of a PKI.
> > Auditors should be competent to evaluate the CA management processes
> > and operational procedures, its related IT security components and its
> > PKI-unique elements. A PKI audit team shall consist of individuals who
> > together have the necessary skills and experience to assess the
> > policies, procedures and practices of the PKI. Auditors should be
> > individually and organizationally independent of the PKI that is being
> > audited.
> >
> > The following list comprises a set of requirements for considering the
> > expertise and qualifications of members of the assessment team
> > carrying out a PKI audit:
> > - Professional Certifications such as CISSP and CISA or equivalent;
> > - Successful completion of training courses in assessment of IT
> >   security controls;
> > - ...
> > ----------------------------------------------------------------------
> >
> > We got a comment that the list of requirements is very heavy,
> > particularly the professional certification.
> > Do you intend that auditors must satisfy all the requirements?
> > Would you clarify your intention?
> >
> > Thanks,
> >
> > --
> > Yoshio Tanaka (yoshio.tanaka at aist.go.jp)
> > http://ninf.apgrid.org/
> > http://www.apgridpma.org/
> >
> >
> > --
> >   caops-wg mailing list
> >   caops-wg at ogf.org
> >   http://www.ogf.org/mailman/listinfo/caops-wg
> >   
> 
> -- 
> Scott Rea
> Director, HEBCA|USHER Operating Authority
> Dartmouth Senior PKI Architect
> Peter Kiewit Computing Services
> Dartmouth College
> HB 6238, #058 Sudikoff
> Hanover, NH 03755
> 
> Em: Scott.Rea at Dartmouth.edu
> Ph#(603) 646-0968
> Ot#(603) 646-9181
> Ce#(603) 252-7339
> 